Showing results for 
Search instead for 
Did you mean: 

Community Helping Community

Introducing the Cisco Security Packet Analyzer

Cisco Employee

Many organizations possess some level of security monitoring and incident response capability.  Often these teams are using telemetry data such as Syslog or NetFlow or specialized devices like firewalls or network or host based intrusion detection / prevention systems to apply information security policies and also to try and understand what's happening on the network.  In order to filter and block traffic on a network it helps to understand the packets in more depth.  The ability to retrieve packets and examine their payload contents is also invaluable in thwarting the exfiltration of sensitive information.   Cisco has offered packet capture both in IOS and on the ASA Firewall for years and that provides an important capability at those places in the network.  Now Cisco is taking that a step further in announcing the Cisco Security Packet Analyzer.

Being able to capture packets is relatively easy.  Being able to find specific packets in terabytes or more of packet storage is hard.  Cisco Security Packet Analyzer works with Stealthwatch and that products capability to collect and analyze network telemetry data to assist a user to locate specific connections and then build a very specific search string that is used to find and extract the packets representing that connection.  Using the Stealthwatch capability of being able to search and locate specific connections; we eliminate the use of wildcards in the packet search process.  Stealthwatch adds the precision of being able to locate and describe a connection using the source and destination address, the protocol and port used, and the time to the hundredth of a second.  The results produced by this more precise search string are a dramatic decrease in the number of matching packets and smaller extract size.  That translates directly into fewer packets to examine in order to find interesting data.

The Cisco Security Packet Analyzer is a purpose built packet capture, storage, and analysis appliance built by the same team that developed the Cisco Network Analysis Module appliance.  The Packet Analyzer is built on a UCS C240 platform 2 rack unit (RU) platform that features 128 Gb of RAM and 48 Tb of disk storage.  That storage capability can be further expanded through the use of the 12G SAS HBA with 8 external ports.

Security Packet Analyzer attaches to the network via a SPAN port or network TAP.  SPAN (short for Switched Port Analyzer) and also known as port mirroring or port monitoring allows traffic to be selected and copied to the port for further analysis or in this case capture. Originally a switch feature SPAN is also now available off many routers using the IP traffic export command.  Packet Analyzer also supports RSPAN (Remote SPAN for monitoring of switches across a network) and ERSPAN (much like RSPAN but encapsulates mirrored traffic over the LAN in a GRE tunnel).

While having all that storage is great; being able to selectively filter out traffic that by policy or technology you don’t want to capture is essential.  The Security Packet Analyzer features both software and hardware filtering.  Hardware filtering allows the Packet Analyzer to ignore packets without processing.  Software filters are more specialized and filter the capture based on characteristics in the packet such as source or destination address or port or VLAN tags.  It is important to exclude from capture both what you don’t want to later examine (by policy) or what you can’t later examine (voice or streaming video) in order to maximize use of the storage. 

The Cisco Security Packet Analyzer is available today on the Cisco GPL; part number SEC-PA-2400-K9.  When ordering you will need to specify one of the three interface types that the appliance should ship with. Those interfaces are a four port interface card equipped with RJ-45 ethernet connectors (4 x 1 Gb RJ-45), or a four port interface card equipped with SFP fiber connectors (4 x 1 SFP).  A two port 10Gb interface card (2 x 10 Gb SFP+) is also available at a higher price point.

1 Comment

interesting addd on for CCNP switch teaching about SPAN adds a security flavour which

a lot of students like

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here